Chapter 38. Configuring session recording by using the CLI


Learn how to configure user terminal session recordings using the System Security Services Daemon (SSSD), and how to manage and play back these recordings using the tlog command-line utility.

38.1. Session recording overview and components

Session recording captures and saves a user’s terminal activity. This provides a detailed, unchangeable record of all commands, output, and error messages, which you can use for auditing, troubleshooting, and investigating a security incident.

SSSD enforces the recording policies you define, and the tlog utility handles the actual recording and playback.

Components of the session recording

tlog utility
The tlog utility provides tools for recording and playing back terminal I/O. tlog-rec-session functions as an intermediary login shell and captures all data between the user’s terminal and shell. All tlog recordings are in JSON format. You can play back recorded sessions using tlog-play. Note that by default, terminal input recording is disabled for security reasons. For detailed configuration options, see the /etc/tlog/tlog-rec-session.conf file and the tlog-rec-session.conf(5) man page on your system.
SSSD
SSSD provides a set of daemons that manage access to remote directories and authentication mechanisms. When you configure session recording, SSSD overlays the user’s default shell with the tlog-rec-session program.

Limitations of session recording

  • You can configure session recording for the root user, but the root user has the privileges to disable or bypass the recording process, which makes the session recording unreliable for auditing purposes.
  • Terminal sessions in a GNOME graphical session are not recorded. This is because all terminals within a graphical session share a single audit session ID, which prevents tlog from distinguishing between them and capturing recordings correctly.
  • A logging loop can occur when viewing the journal. When a recorded user views the system journal or /var/log/messages, it generates new logs, which are then recorded and displayed, causing a loop of flooded output.

    To prevent the logging loop, view the journal in real time and filter out the log entries which create the loop:

    journalctl -f | grep -v 'tlog-rec-session'

    You can also configure tlog to limit the output. For details, see the tlog-rec-session.conf(5) man page on your system.

  • You must configure session recording on the target host for remote execution. For example, if you want to record a user’s session when they use ssh to connect to a remote system, configure the recording on the remote system they connect to.
  • All recordings are lost on reboot if the systemd-journald service uses its default configuration, which stores the journal in memory.

38.2. Enabling and configuring session recording with SSSD from the CLI

You can configure and enable session recording for specific users and groups from the command line.

When you configure session recording, you use SSSD to define which users or groups to record by setting the scope option to one of the following values:

  • none to record no sessions
  • some to record only specified users and groups
  • all to record all users

Prerequisites

  • You are using SSSD for authentication.

Procedure

  1. Install the tlog package:

    # dnf install tlog
  2. Open the sssd-session-recording.conf configuration file:

    # vi /etc/sssd/conf.d/sssd-session-recording.conf
  3. Specify the scope of session recording and the users and groups to record. For example:

    [session_recording]
    scope = some
    users = <user_name_1>, <user_name_2>
    groups = <group_name>
    exclude_users = <user_name_to_exclude>
    exclude_groups = <group_name_to_exclude>

    For more details, see the sssd-session-recording(5) man page on your system.

  4. To enable the SSSD profile, run the following command:

    # authselect select sssd with-tlog
  5. Restart SSSD to load the configuration changes:

    # systemctl restart sssd
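
The following policy check is an added example, not part of the original procedure or of SSSD. It parses a [session_recording] section and reports which users the scope setting selects, and which options are set but have no effect. It relies on the sssd-session-recording(5) rule that exclude_users and exclude_groups apply only with scope = all; the user and group names and the function names are constructed for illustration.

```python
import configparser

# Constructed sample: the page's example layout with made-up names.
SAMPLE_CONF = """\
[session_recording]
scope = some
users = alice, bob
groups = ops
exclude_users = carol
"""

LIST_KEYS = ("users", "groups", "exclude_users", "exclude_groups")

def load_policy(text):
    """Parse the [session_recording] section into a scope and four name sets."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["session_recording"] if cp.has_section("session_recording") else {}
    policy = {"scope": sec.get("scope", "none").strip()}  # man page default: none
    if policy["scope"] not in ("none", "some", "all"):
        raise ValueError(f"invalid scope: {policy['scope']!r}")
    for key in LIST_KEYS:
        policy[key] = {n.strip() for n in sec.get(key, "").split(",") if n.strip()}
    return policy

def is_recorded(policy, user, user_groups):
    """Return True if the policy selects this user (exact name match assumed)."""
    groups = set(user_groups)
    if policy["scope"] == "some":
        return user in policy["users"] or bool(groups & policy["groups"])
    if policy["scope"] == "all":  # exclusions only count under scope = all
        excluded = user in policy["exclude_users"] or bool(groups & policy["exclude_groups"])
        return not excluded
    return False  # scope = none

def policy_warnings(policy):
    """Flag options that are set but have no effect under the chosen scope."""
    found = []
    if policy["scope"] != "all" and (policy["exclude_users"] or policy["exclude_groups"]):
        found.append("exclude_users/exclude_groups are ignored unless scope = all")
    if policy["scope"] != "some" and (policy["users"] or policy["groups"]):
        found.append("users/groups are ignored unless scope = some")
    if policy["scope"] == "some" and not (policy["users"] or policy["groups"]):
        found.append("scope = some with empty users and groups records nobody")
    return found

if __name__ == "__main__":
    p = load_policy(SAMPLE_CONF)
    print(policy_warnings(p), is_recorded(p, "carol", ["ops"]))
```

In the sample, carol is a member of ops and is therefore still recorded, because the exclusion list is not consulted under scope = some.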

38.3. Playing back session recordings

The system journal stores session recordings. By default, it saves them in-memory, so you lose recordings on reboot unless you configure persistent storage.

You can play back recordings directly from the system journal by using the tlog-play utility. Alternatively, you can install the cockpit-session-recording package to manage and play back recordings on the RHEL web console.

Prerequisites

  • Terminal sessions have been recorded.

Procedure

  1. Optional: List recorded sessions:

    $ journalctl COMM=tlog-rec-session
  2. Play back a specific session:

    # tlog-play --reader=journal --journal-id=<recorded_session_id>

    For more advanced options, such as changing playback speed or fast-forwarding, see the tlog-play man page on your system.

© 2026 Red Hat